
DDoS protection

Petr Lasek, RADWARE

June 3, 2016
Our Track Record

[Chart: Company Growth, revenue in USD millions by year, 2002 to 2014, with year-over-year growth percentages; values shown on the slide (ascending): 43.7, 54.8, 68.4, 77.6, 81.4, 88.6, 94.6, 108.9, 144.1, 167.0, 189.2, 193.0, 221.9]

Patent-Protected Innovation milestones on the same timeline: Behavioral analysis engine, Real-time signature creation, SSL DDoS protection, Strategic Partnerships, DDoS OEM, SDN
What is DDoS Attack?

DDoS Attacks in Numbers

Did You Know?
Internet pipe and application servers were the most popular DDoS targets in 2015

Share of 2015 attacks by target (chart):
- Internet Pipe (saturation): 36%
- Firewall: 13%
- IPS/IDS: 8%
- Load Balancer (ADC): 9%
- The Server Under Attack: 33%
- SQL Server: 1%
Did You Know?

Impact of attacks on the service (chart): Outage 16%; Slowness 46%; No impact 37%

In the real world most attacks won't result in an outage; they will degrade your service level.
From the Client's Side...

[Two charts: The Cost of Outage (source: Emulex Study, 2014) and The Impact of Delay (source: Gomez.com, Akamai.com, 2013)]

Clients have zero tolerance for latency and outage
Did You Know?

~50% of 2015 attacks were Application Level (L7) attacks: Application 49%, Network 51%

[Pie chart of attack vectors: VoIP (1%), Web (HTTP/HTTPS), TCP-Other, UDP, ICMP, SMTP, DNS, IPv6 (1%), TCP-SYN Flood; the remaining shares printed on the slide (9%, 18%, 23%, 6%, 16%, 16%, 10%) cannot be matched to their vectors from the extracted text]
Did You Know?

Burst Attacks on the rise: in 2015, 57% of attacks were considered "Burst" attacks

Attack duration in 2015 (chart):
- 1 hour or less: 57%
- 1 hour to 1 day: 36%
- 1 day to 1 week: 4%
- Over a week: 2%
- Constantly: 1%

Another indication of increased Automated Attacks (trend shown for 2011 to 2015)
Increased Attacks on Education and Hosting

Comparing to 2014 (chart: 2015 change from 2014, by vertical):
- Most verticals stayed the same
- Education and Hosting: increased likelihood
- Growing number of "help me DDoS my school" requests
- Motivations vary for Hosting:
  - Some target end customers
  - Some target the hosting companies
Operational Application States

Normal / Degradation / Outage: all business operational scenarios
DDoS protection

Security solutions?

[Coverage matrix; only its rows and columns survive extraction, the check marks do not]
Columns: Firewall | IPS | WAF | Router ACLs | Next Gen FW | Anti-DoS Appliance (CPE) | Cloud Anti-DoS | DLP
Rows (Protection Purpose):
- Data-At-Rest Protections (Confidentiality)
- Data-At-Endpoint (Confidentiality)
- Data-In-Transit (Confidentiality)
- Network Infrastructure Protection (Integrity)
- Application Infrastructure Protection (Integrity)
- Volumetric Attacks (Availability)
- Non-Volumetric Resource Attacks (Availability)
Radware Attack Mitigation System (AMS)

- Widest security coverage
- Shortest time to protection
- ERT single contact point
- Integrated situational awareness and analysis
Radware's Security Solution Elements

- Radware Emergency Response Team: 24x7 Security Experts
- Centralized Management & Reporting: APSolute Vision
- On-Demand Cloud DDoS Service: DefensePipe, +1TB mitigation capacity
- Attack Mitigation Device: DefensePro, throughput ranging 200Mbps - 300Gbps (DoS protection, Behavioral analysis, IPS, SSL protection)
- Web Application Firewall: AppWall, Cloud WAF Service
- Hybrid or Standalone Models
DDoS Mitigation Solution

[Diagram: Internet -> Carrier Infrastructure -> Protected Organization, with a Scrubbing Cloud and NetFlow-based Attack Detection]
A Hybrid Solution is Needed

DDoS in-the-cloud alone provides insufficient protection.

- On-Demand: Scrubbing Cloud
- Always-On: On-Premise

Always-On DDoS on-premise with DDoS in-the-cloud activated on-demand
(Technologies: Cloud DDoS protection, DoS protection, Behavioral analysis, IPS, WAF, SSL protection)
Hybrid DDoS Mitigation Solution

[Diagram: Internet -> Carrier Infrastructure -> Protected Organization, with a Scrubbing Cloud in front of the on-premise device]
Synchronized Operation - Example

[Diagram: Cloud (Radware Cloud Scrubbing) - Perimeter (Attack Mitigation Device, ADC) - LAN]

1. Attack baseline is synchronized
2. DDoS grows and saturates the Internet pipe
3. Attack is larger than the perimeter; traffic is diverted to Radware's Cloud Scrubbing Center
4. Attack is scrubbed in the cloud, freeing the internet pipe

Scrubbing center - over 2 Tbps capacity
FlowMon with DDoS Defender deployment scenario

[Diagram: Service Provider Core / Edge / Access, with Protected Object 1 (e.g. Data Center, Organization, Service etc.) and Protected Object 2; Attack Path and Clean Path through the Scrubbing Center]

- Netflow Data Collection and Learning Baselines (FlowMon with DDoS Defender)
- Anomaly Detection
- Dynamic Protection Policy Deployment incl. Baselines via Vision REST API
- Traffic Diversion via BGP Route Injection
- Mitigation Enforcement in the Scrubbing Center (Best of Class Attack Mitigation)
Multi-patent technology

Radware Intellectual Property
Rich Security Patents Portfolio Secures Radware's Attack Mitigation Solution

- Dynamic Network Protection (7,681,235)
- SSL DDoS Protection (13/425,978)
- SIP Behavioral Protection (11/835,503)
- Application Path Security (7,882,555)
- HTTP Behavioral Flood (7,617,170)
- Low & Slow Behavioral Protection (7,607,170)
- Signature Propagation Network (11/869,067)
- Counter Attack Protection (13/306,360)
- Secured Application SDN (61/658,134)
- Network RTS (7,624,084)
- Real-time Signature (7,836,496)
Multi-technology Protection

Multi-Vector Attacks Target All Layers of the Infrastructure

Attack vectors shown on the slide:
- "Low & Slow" DoS attacks (e.g. Slowloris)
- SQL Injections
- XSS, CSRF
- HTTP Floods
- Brute Force
- Large volume network flood attacks
- SSL Floods
- App Misuse
- Network Scan
- SYN Floods

Infrastructure layers: Internet Pipe, Firewall, IPS/IDS, Load Balancer/ADC, Server Under Attack, SQL Server

Protection technologies: Cloud DDoS protection, DoS protection, Behavioral analysis, IPS, WAF, SSL protection

Multi-Technology Protection

Only a multi-technology solution can provide full protection from multi-vector threats, to prevent outage and minimize service-level degradation.
Hardware architecture

[Diagram: DME (DDoS Mitigation Engine); L7 Regex Acceleration ASIC; Multi Purpose Multi Core CPUs running Behavioral-based protections & Reputation Engine; output: Clean traffic. Capacities printed on the slide: 160 Gbps, and 230 M PPS / 300 Gbps]
Dedicated Hardware to Fight Attacks

[Chart comparing DefensePro with other IPS solutions under attack traffic plus legitimate traffic; rate figures on the chart: 1 MPPS, 2 MPPS, x MPPS]

Non-Radware (other IPS solutions): 10 Gbps capacity; the device handles attack traffic at the expense of legitimate traffic!

Radware (DefensePro): 160 Gbps capacity; 240 Million PPS of attack traffic does not impact legitimate traffic.
Network Behavior Analysis - non-Radware solutions

Rate-Based Detection: a baseline of normal traffic, and an "Attack Alert!" whenever the rate exceeds it.

An attack is not the only reason for an unexpected increase in traffic volume:
- Marketing campaign
- Christmas / Easter / Holiday shopping
- Video streaming of important events
- Web searching for information about important events
Network Behavior Analysis - Radware solution

The baseline of normal traffic is built from two views:
- Rate Analysis
- TCP Flag Distribution Analysis: share (0% to 100%) of SYN, SYN-ACK, ACK, Data, RST, FIN-ACK
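The difference between the two slides in code, as an added example that is not from the deck or Radware's engine: a traffic window is compared with a learned baseline by rate alone (the non-Radware approach) and by rate plus TCP flag distribution, so a flash crowd keeping the normal flag mix is told apart from a SYN flood. The baseline, the windows and the thresholds are constructed values.

```python
"""Added example (not from the Radware deck): rate-based vs. behavioral
detection.  A traffic window is compared with a learned baseline both by
packet rate and by TCP flag distribution, so a legitimate surge (same mix
of flags, just more of them) is not confused with a SYN flood (rate up AND
the flag mix skewed toward SYN).  Baseline, windows and thresholds are
constructed for illustration."""
FLAGS = ("SYN", "SYN-ACK", "ACK", "Data", "RST", "FIN-ACK")

# Constructed baseline: packets per second of normal traffic by flag type.
BASELINE_PPS = {"SYN": 50, "SYN-ACK": 50, "ACK": 400, "Data": 450, "RST": 20, "FIN-ACK": 30}


def distribution(pps):
    """Share of each flag type in a window (sums to 1.0)."""
    total = sum(pps.values())
    return {f: pps.get(f, 0) / total for f in FLAGS}


def rate_based_alert(window_pps, baseline_pps, factor=3.0):
    """Non-behavioral check: alert as soon as the rate exceeds baseline * factor."""
    return sum(window_pps.values()) > factor * sum(baseline_pps.values())


def flag_distribution_distance(window_pps, baseline_pps):
    """Total variation distance between the window's and the baseline's flag mix (0..1)."""
    w, b = distribution(window_pps), distribution(baseline_pps)
    return 0.5 * sum(abs(w[f] - b[f]) for f in FLAGS)


def behavioral_verdict(window_pps, baseline_pps, factor=3.0, max_shift=0.2):
    """Behavioral check: an attack needs BOTH a rate anomaly and a shifted flag
    distribution; a rate anomaly alone is reported as a legitimate surge."""
    rate_anomaly = rate_based_alert(window_pps, baseline_pps, factor)
    shift = flag_distribution_distance(window_pps, baseline_pps)
    if rate_anomaly and shift > max_shift:
        return "attack"
    return "legitimate surge" if rate_anomaly else "normal"


# Constructed windows: a flash crowd keeps the flag mix, a SYN flood does not.
FLASH_CROWD = {f: v * 5 for f, v in BASELINE_PPS.items()}          # e.g. holiday shopping
SYN_FLOOD = dict(BASELINE_PPS, SYN=BASELINE_PPS["SYN"] + 20000)

if __name__ == "__main__":
    for name, window in (("flash crowd", FLASH_CROWD), ("SYN flood", SYN_FLOOD)):
        print(f"{name}: rate-based alert={rate_based_alert(window, BASELINE_PPS)}, "
              f"behavioral verdict={behavioral_verdict(window, BASELINE_PPS)}")
```

Both windows trip the rate-only check; only the SYN flood also shifts the flag distribution, which is what lets the behavioral verdict separate them.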
IP based mitigation - non-Radware solutions

[Diagram: baseline of normal traffic; attackers' source IPs causing the traffic increase; legitimate traffic]

IP based mitigation is ineffective and causes a high false positive rate due to:
- Users behind CDN or Proxy
- Dynamic IP changing by Botnets
- User computers infected by botnets causing simultaneous Legitimate and Attack traffic
Network Behavior Analysis & RT Signature Technology

[Diagram: inbound and outbound traffic between the Public Network and the Protected Network passes through Learning of traffic characteristics -> Statistics -> Detection Engine (Degree of Attack = High) -> Blocking Rules, the narrowest filters, as RT Signatures]

Signature parameters:
- Source/Destination IP
- Source/Destination Port
- Packet size
- TTL (Time To Live)
- DNS Query
- Packet ID
- TCP sequence number
- More ... (up to 20)
Network Behavior Analysis & RT Signature Technology

Mitigation optimization process (closed feedback)

Timeline: start mitigation at 0; initial filter within up to 10 sec; final filter at 10+X sec

- Initial filter is generated: Packet ID
- Filter Optimization:
  - Packet ID AND Source IP
  - Packet ID AND Source IP AND Packet size
  - Packet ID AND Source IP AND Packet size AND TTL
- Result: Real-Time Signature (the narrowest filter)

The Detection Engine feeds the Degree of Attack (High / Low) measured on the filtered traffic back into the filter optimization (positive / negative feedback).

[Diagram: Public Network -> Initial Filter -> Statistics -> Detection Engine -> Blocking Rules -> Protected Network]
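The closed-feedback narrowing above, as an added example that is not Radware's implementation: the widest filter (Packet ID only) is applied first, then each parameter in the slide's order is AND-ed in as a candidate and kept only while the degree of attack on the traffic still passing stays Low. Traffic, the learned rate and the thresholds are constructed.

```python
"""Added example (not Radware's implementation): closed-feedback narrowing of
a real-time signature.  The widest filter (Packet ID only) is applied first;
each further parameter, in the slide's order, is AND-ed in as a candidate and
kept only if the degree of attack measured on the traffic that still passes
stays Low; if the attack re-emerges the candidate is dropped.  Constructed data."""
from collections import Counter

PARAM_ORDER = ("packet_id", "src_ip", "size", "ttl")
BASELINE_PPS = 100       # constructed learned rate of normal traffic
WINDOW_SECONDS = 1
ATTACK_FACTOR = 3.0      # passing rate above baseline * factor => degree of attack High


def matches(pkt, sig):
    """A packet is blocked when it matches every parameter of the signature (AND)."""
    return all(pkt[k] == v for k, v in sig.items())


def degree_of_attack(passed):
    """Detection engine feedback on the traffic still passing the filter."""
    return "High" if len(passed) / WINDOW_SECONDS > ATTACK_FACTOR * BASELINE_PPS else "Low"


def false_positives(legit, sig):
    """Legitimate packets a signature would block (collateral damage)."""
    return sum(matches(p, sig) for p in legit)


def build_signature(window):
    """Initial filter on the dominant Packet ID, then narrow while the attack stays mitigated."""
    first = PARAM_ORDER[0]
    sig = {first: Counter(p[first] for p in window).most_common(1)[0][0]}
    for param in PARAM_ORDER[1:]:
        blocked = [p for p in window if matches(p, sig)]
        value = Counter(p[param] for p in blocked).most_common(1)[0][0]
        candidate = dict(sig, **{param: value})
        passed = [p for p in window if not matches(p, candidate)]
        if degree_of_attack(passed) == "Low":   # narrower filter still mitigates: keep it
            sig = candidate                     # otherwise the parameter is discarded
    return sig


# Constructed one-second window: 100 legitimate packets with varied headers plus 1000
# attack packets sharing Packet ID 7, one source and TTL 200, but alternating sizes.
LEGIT = [{"packet_id": i % 10, "src_ip": f"198.51.100.{i % 20}",
          "size": 500 + (i % 3) * 100, "ttl": 64 if i % 2 else 128} for i in range(100)]
ATTACK = [{"packet_id": 7, "src_ip": "203.0.113.7",
           "size": 60 if j % 2 else 1400, "ttl": 200} for j in range(1000)]
WINDOW = LEGIT + ATTACK
```

On this window the initial Packet ID filter blocks 10 legitimate packets; adding Source IP and TTL removes that collateral damage, while the Packet size step is rejected because the attack alternates sizes and re-emerges once it is AND-ed in.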
Beyond Primitive Source IP Blocking

Non-Radware: Source IP Address Only (X.X.X.X)
Radware: Signature with multiple parameters

Smart traffic blocking based on a Real-Time Signature incorporating multiple parameters, compared to primitive source IP address blocking.
How to identify attackers?

SYN Protection - Challenge/Response flow
- DP detected a SYN flood to an endpoint
- Logic - cookie validated, delayed binding to pending
- Logic - storing received data before proxying

Flow between Real User, DefensePro and Target:
1. Real User -> DefensePro: SYN
2. DefensePro -> Real User: SYN-ACK + Cookie
3. Real User -> DefensePro: ACK + Cookie
4. Cookie is validated. TCP Challenge passed - delayed binding begins
5. DefensePro -> Target: SYN; Target -> DefensePro: SYN-ACK; DefensePro -> Target: ACK
6. Data is forwarded in both directions

HTTP Redirect / Javascript - awaiting data packet with valid cookie

Challenge / response
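The cookie half of the flow above, as an added example that is not DefensePro's code: the mitigation device answers a SYN with a SYN-ACK whose sequence number is a keyed cookie over the connection 4-tuple and a coarse time slot, keeps no state, and only an ACK echoing cookie+1 within the slot window passes the challenge and is handed to delayed binding. The key, slot length, window and addresses are constructed.

```python
"""Added example (not DefensePro's code): a stateless SYN challenge.  The
device replies to a SYN with a SYN-ACK whose ISN is an HMAC-based cookie over
the 4-tuple and a time slot.  An ACK passes only if it echoes cookie+1 for the
current or previous slot; spoofed SYNs never produce a valid ACK, so no state
is spent on them.  Key, slot length and addresses are constructed."""
import hashlib
import hmac

KEY = b"constructed-secret-rotate-me"   # constructed; rotate in real deployments
SLOT_SECONDS = 60
WINDOW_SLOTS = 2                        # accept the current slot and the previous one


def cookie(src_ip, src_port, dst_ip, dst_port, slot):
    """32-bit cookie bound to the connection 4-tuple and a time slot."""
    msg = f"{src_ip}:{src_port}->{dst_ip}:{dst_port}|{slot}".encode()
    return int.from_bytes(hmac.new(KEY, msg, hashlib.sha256).digest()[:4], "big")


def on_syn(src_ip, src_port, dst_ip, dst_port, now):
    """SYN received: return the ISN for the SYN-ACK; nothing is stored per client."""
    return cookie(src_ip, src_port, dst_ip, dst_port, int(now // SLOT_SECONDS))


def on_ack(src_ip, src_port, dst_ip, dst_port, ack_number, now):
    """ACK received: True when the echoed cookie validates, i.e. the TCP challenge
    passed and delayed binding to the target may begin."""
    slot = int(now // SLOT_SECONDS)
    got = (ack_number & 0xFFFFFFFF).to_bytes(4, "big")
    for s in range(slot, slot - WINDOW_SLOTS, -1):
        expected = ((cookie(src_ip, src_port, dst_ip, dst_port, s) + 1) & 0xFFFFFFFF)
        if hmac.compare_digest(expected.to_bytes(4, "big"), got):
            return True
    return False
```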
Layered approach

- Behavioral protections
- Challenge response
- Access control
- Known vulnerabilities/tools

Protection modules across the Application, Server and Network layers: Behavioral HTTP Flood Protection, DNS Protection, Behavioral DoS, Anti-Scan, SYN Protection, Server Cracking, Service Connection Limit, Out-Of-State, Signature Protection, Connection PPS Limit, BL/WL

VISIBILITY
- Real Time Monitoring
- Historical Reporting Engine
- Customizable Dashboards
- Event Correlation Engine
- Advanced Forensics Reports
- Compliance Reports
- Ticket Work Flow Management
- 3rd Party Event Notifications
- Role/User Based Access Control
Works with all Radware's Security Modules
Summary

- Hybrid
- Multivector
- NBA = IP agnostic!
- DDoS: Unique SSL protection

Encrypted Attacks Mitigation

[Diagram: SSL User -> Cloud -> Organization, with the Attack Mitigation Device (transparent) and the Alteon ADC in front of the servers]

1. A new SSL encrypted transaction arrives at the Attack Mitigation Device
2. The transaction is identified as suspicious and redirected to Radware Alteon for decryption
3. The Attack Mitigation Device sends the user a challenge, re-encrypted by Alteon
4. If the challenge is answered OK, the session is redirected to the server
5. The rest of the session passes through the Attack Mitigation Device directly to the servers with zero latency

petrl@radware.com